Hi, folks... I am sure that this 'feature' is well-known and there is already a common understanding of how to deal with it. Proxy users can use Squid to tunnel their SSH sessions to any destination they like - at least if the port is allowed for the 'CONNECT' method. To my mind it is impossible for Squid to distinguish SSL-wrapped HTTP sessions from SSL-wrapped terminal connections, as it cannot decrypt the encrypted data stream.
So much for the theory. Now how do 'normal administrators' handle this obvious security hole? I think that a handful of hackers at our company know quite well that we use Squid and will set up an SSH daemon on their home PC answering connection requests on port 443. Shall I only allow SSL on request? That would make people use the HTTP pages instead of the much more secure HTTPS websites for transmitting sensitive data. Shall I block destination IP ranges which probably lead to home PCs in dialup networks? Or shall I buy an expensive commercial third-party proxy which is capable of doing a kind of 'man-in-the-middle-SSL-understanding-proxy' to filter out non-HTTP requests? I'd like to hear your opinions. Christoph
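As an added illustration of the port-based control the post refers to (not part of the original message or of Squid's shipped configuration), the following squid.conf fragment restricts CONNECT to port 443 and to an assumed internal source range; the ACL names and the 192.168.0.0/16 range are assumptions.

```conf
# Added example, not from the original post: limit the CONNECT method to
# the standard TLS port and to the internal network, and keep a log of
# every tunnel so that long-lived CONNECT sessions can be reviewed.

acl SSL_ports port 443            # the only port CONNECT may target
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/16   # assumed internal client range

# Refuse CONNECT to any port other than 443. This closes tunnels to
# arbitrary ports (e.g. an sshd on 22) but, as the post notes, cannot
# tell an SSH daemon listening on 443 from a real HTTPS server.
http_access deny CONNECT !SSL_ports

# Only internal clients may open tunnels at all; everything else is denied.
http_access allow CONNECT localnet
http_access deny CONNECT

# Every CONNECT request is recorded with its duration and byte counts,
# which is the data an administrator would review for unusual tunnels.
access_log /var/log/squid/access.log squid
```

Squid evaluates http_access lines in order, so the deny for non-SSL ports must precede the allow for the internal network.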
